French data protection authority CNIL has issued a €250,000 fine against Optical Center in relation to a complaint about a “significant data leak” in July 2017.
According to CNIL’s report, it was possible for unauthorised users to access over 334,000 documents containing personal information. The website served invoices directly through a web browser, with no mechanism ensuring that customers could only access their own invoices.
This meant that users could guess document naming patterns to manually enter URLs and access other invoices, which included a wealth of personal information such as last name, first name, postal address, health information and, in some cases, social security numbers.
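An added illustration of the access-control flaw CNIL describes, not code from the report or from Optical Center: a hypothetical invoice-download handler that lacks the ownership check, beside a hardened version, with a small check that exercises both. All record values and function names are constructed.

```python
# Added example (not from the CNIL report or Optical Center's code): an
# invoice-download handler modelled on the flaw described above, and its
# hardened counterpart. Names, ids and records below are constructed.

from dataclasses import dataclass


@dataclass(frozen=True)
class Invoice:
    invoice_id: int
    owner_id: int
    pdf_path: str


# Constructed sample store with sequential, hence guessable, invoice numbers.
INVOICES = {
    1001: Invoice(1001, owner_id=7, pdf_path="/invoices/1001.pdf"),
    1002: Invoice(1002, owner_id=7, pdf_path="/invoices/1002.pdf"),
    1003: Invoice(1003, owner_id=9, pdf_path="/invoices/1003.pdf"),
}


def serve_invoice_vulnerable(session_user_id: int, invoice_id: int) -> str:
    """Flaw: the request is authenticated but never authorised. Any logged-in
    user who types another invoice number into the URL receives that invoice."""
    inv = INVOICES.get(invoice_id)
    if inv is None:
        raise LookupError("not found")
    return inv.pdf_path  # owner_id is never compared with session_user_id


def serve_invoice_hardened(session_user_id: int, invoice_id: int) -> str:
    """Fix: look the record up, then require that it belongs to the requesting
    user. Missing and foreign invoices raise the same error so the response
    does not reveal which invoice numbers exist."""
    inv = INVOICES.get(invoice_id)
    if inv is None or inv.owner_id != session_user_id:
        raise LookupError("not found")
    return inv.pdf_path


def serves_only_own_invoices(session_user_id: int, handler) -> bool:
    """Check: does `handler` serve exactly the invoices this user owns?"""
    for invoice_id, inv in INVOICES.items():
        try:
            handler(session_user_id, invoice_id)
            served = True
        except LookupError:
            served = False
        if served != (inv.owner_id == session_user_id):
            return False
    return True
```

Replacing the sequential numbers with opaque identifiers would only make guessing harder; the server-side ownership check is what closes the hole.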
The decision about the fine was made in May this year, but has only recently been made public. It is the second fine issued by CNIL against Optical Center – in 2015 the company was fined €50,000 after a customer complaint about password security. The fact that the latest breach was a second offence was noted in CNIL’s report on the matter, and was linked to the fine being considerably higher on this occasion.
The company could have faced even greater costs had the breach occurred after GDPR came into effect, though under French law CNIL was allowed to “anticipate the impact” of GDPR when setting the fine.